The “Cannibal Cop” and Protection of Computerized Data

In an unusual criminal case, the Second Circuit Court of Appeals recently weighed in on an important question at the intersection of employment law and data security. The decision will likely have implications wherever questions arise about unauthorized access and use of computerized data—from a disloyal employee who extracts trade secrets from an employer’s system in violation of an employment agreement, to a business that scrapes valuable information from a competitor’s website for competitive use in violation of the site’s use provisions.

The issue concerned the interpretation of the Computer Fraud and Abuse Act (“CFAA”), a statute that imposes both criminal and civil liability on any person who “exceeds authorized access” to a computer and obtains information from it. 18 U.S.C. § 1030. The federal courts have been divided on whether someone who is authorized to access particular information from a computer but does so for an impermissible purpose has violated the statute. The Second Circuit said no: if a person is authorized to access particular information from the computer, the fact that he or she did so in violation of the terms under which he or she was permitted access does not make the conduct unlawful under the CFAA.